[sami] 答复: A new draft on state migration use cases is submitted.

["Yingjie Gu(yingjie)" <guyingjie@huawei.com>]

I would say that the goal of this test should not be regarded as a proof to
show which model is better, security functions deployed inside of
server/Hypervisor or outside. People need to choose a way based on their
real scenario.

 

I think there are some knowledge that should be the base of SAMI, they are:

 

1. IT staff in DCs or in enterprise networks hope to see clear edge of
Network and Computing. That is let the Network do the network things,e.g.
forwarding and security, and Servers do the computing things. Argument
exists in this topic, but at least some providers we know of show the
requirements on clear edge. 

 

2. Some large ISPs we talked with, who are also DC service providers,
require to move additional network functions to network side, so that they
can save CPU processing capability to create more VMs, and selling VMs is
the way they can earn money. 

 

(The performance test results, if we have, can be used as a side proof to
support DC providers' requirements.)

(I know some IDC/DC providers register this mail list, and I really look
forward to hear their opinions)

 

3. There are many existing DCs where ACLs and firewalls are deployed on
network side. Hypervisor can run some part of security functions, but not
all of the security functions are deployed on Hypervisor. 

 

4. Even for the security functions deployed on Hyperviser, not all of the
Hypervisor vendors can support state live migration. This is another reason,
mentioned by Ming also, why people want to move network functions to
network.

 

Of course, I am willing to hear people's opinions on these knowledge.

 

If we agree on the above knowledge, we can move forward, to discuss whether
the states and scenarios make sense to you, 

 

 

  _____  

Best Regards
Gu Yingjie

 

发件人: A tao [mailto:yangjingtao@gmail.com] 
发送时间: 2011年10月12日 乐乐0:02
收件人: Juergen Schoenwaelder
抄送: 卓志强(研七 福州); Linda Dunbar; 刘茗(研六 福州); Yingjie Gu(yingjie);
sami@ietf.org
主题: Re: [sami] A new draft on state migration use cases is submitted.

 

No doubt that a performance test results can help people to understand, to
some extent, why there are requirements and implementations to move security
functions, such as firewall/DHCP snooping/ACLs, out of Hypervisor or
servers.

 

If Ming can provide this results, that will be best. 

 

We don't have the data but we also talked with DC providers, and they gave
me an example to explain why they want the firewall being executed by
network side. They deployed a VM to run Firewall functions on a x86 server.
And by test, they find the firewall consumes more than large amount of CPU
capacity which otherwise can be used to support 2-3 VMs. I don't get the
real data and the test situation, this is only a information. 

 

2011/10/11 Juergen Schoenwaelder <j.schoenwaelder@jacobs-university.de>

On Tue, Oct 11, 2011 at 06:06:34AM +0000, 卓志强(研七 福州) wrote:
> I have the following documents to get some reference data,
> http://people.netfilter.org/kadlec/nftest.pdf
>
> The "filtering rules" is like ACLs. As the numbers increase, the
> performance of different software have declined.

Your proposition is that moving filtering rules from the endpoint (the
hypervisor) into the network is cheaper and easier to scale. To make
any sense of the above quoted document, I would need to know what the
performance of middleboxes is going to be and I would need to know how
many hypervisors are going to be behind a middlebox. If its lets say
1:10 (one switch to ten hypervisors), then the middleboxes would need
to outperform a kernel software filter by a factor significant larger
than 10. I guess you have done this calculation so it should be easy
to provide a concrete data point.

Once the scalability trade-off is clear, one can look at the costs of
the various options (essentially more hypervisors vs. fancier switches
that peak into L4 and perhaps even beyond). I would love if problem
statement documents would go into exactly this level of detail.


/js

--
Juergen Schoenwaelder           Jacobs University Bremen gGmbH
Phone: +49 421 200 3587         Campus Ring 1, 28759 Bremen, Germany
Fax:   +49 421 200 3103         <http://www.jacobs-university.de/>